Anatomy of a Database Security Assessment

Data security is not a “set it and forget it” condition—it’s highly dynamic, changing as your environment evolves, new threats appear and new vulnerabilities are introduced. And as the recent rash of high-profile breaches of retail databases illustrates, securing your databases is at least as important as securing other parts of your infrastructure.

The end of the year is often a time when we get things organized and throw out what we don’t need. It’s also a great time to schedule a database security assessment and rid your organization of some data security vulnerabilities you definitely don’t need, like obsolete user and test accounts and inappropriate access privileges.

A database security assessment with Buda Consulting will identify and report on the full spectrum of vulnerabilities in your environment, including misconfiguration, unapplied security patches and “open door” passwords. It will also tell you exactly which vulnerabilities are most critical to mitigate.

We start with a discovery scan, which searches your entire network using automated tools and inventories all the database signatures it finds. This is the best way to locate “rogue” databases that users spin up on their own, which may contain confidential data and often don’t follow security policy.

Next we perform a password scan, which is a form of penetration test. We try to connect to all your databases by throwing easily guessed passwords (e.g., “user” and “123456”) at them. Do you have standard system accounts on older databases that aren’t locked and have default passwords that haven’t been changed? This scan will find them.

It’s amazing how much sensitive enterprise data is just waiting to be exposed in this way. For example, we discovered a while back that one of our clients was using the default username and password for a very privileged account. I warned them that this was a critical vulnerability, but they failed to fix it and shortly thereafter were hacked big-time. It took them several weeks and an embarrassing amount of money to restore their systems and data.

The third part of the assessment is a comprehensive vulnerability scan. Our automated toolset will quickly uncover missing patches, configuration problems, and problematic settings or practices that can leave you vulnerable to escalation of privilege attacks, Denial of Service (DoS) and other forms of cybercrime.

Perhaps the most important part of the assessment is what we do with the thousands of vulnerabilities that our tools will almost certainly generate. We sit down with your DBAs and boil that list down to the critical vulnerabilities in your environment, which you should address immediately. We also check off the problems for which you have mitigating controls already in place.

Along with all that vulnerability scanning comes a “user rights review.” This is a check for user access that is authenticated at the database level (as opposed to the application level). This is a great way to root out “developer” or “test” accounts that are no longer needed but haven’t been disabled, leaving a hole for attackers to burrow into your data stores. It also exposes “least privilege” vulnerabilities that otherwise get lost in the details. This review identifies what database accounts have access to sensitive data, and how they received that access. Was access granted directly to that username, and by whom? Or is it conferred to a role assigned to that user?
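As an added illustration of the database-level rights review described above (this is example code, not part of the original post or of any Buda Consulting toolset), the following Oracle query answers the two questions for one sensitive table: who can reach it, and whether each account got there through a direct grant or through a role, including roles nested inside other roles. It assumes the sensitive table is `HR.EMPLOYEES` (a constructed placeholder; substitute your own owner and table) and that the user running it can read the `DBA_*` dictionary views.

```sql
-- Constructed example: every account that can act on HR.EMPLOYEES,
-- with the path (direct grant or role chain) and who granted it.
WITH direct_grants AS (
  -- Object privileges granted straight to a user, a role, or PUBLIC
  SELECT grantee, privilege, grantor
  FROM   dba_tab_privs
  WHERE  owner = 'HR' AND table_name = 'EMPLOYEES'
),
role_chain AS (
  -- Starting from each role that holds a privilege on the table,
  -- walk outward through role-to-role and role-to-user grants.
  -- NOCYCLE guards against circular role grants.
  SELECT grantee,
         CONNECT_BY_ROOT granted_role                 AS privileged_role,
         SYS_CONNECT_BY_PATH(granted_role, ' -> ')    AS role_path
  FROM   dba_role_privs
  START WITH granted_role IN (SELECT grantee FROM direct_grants)
  CONNECT BY NOCYCLE PRIOR grantee = granted_role
)
-- 1) Direct grants to user accounts (PUBLIC kept, since it reaches everyone)
SELECT d.grantee            AS username,
       u.account_status,
       d.privilege,
       'DIRECT'             AS access_path,
       d.grantor            AS granted_by
FROM   direct_grants d
LEFT JOIN dba_users u ON u.username = d.grantee
WHERE  u.username IS NOT NULL OR d.grantee = 'PUBLIC'
UNION ALL
-- 2) Grants inherited through one or more roles
SELECT rc.grantee           AS username,
       u.account_status,
       d.privilege,
       'VIA ROLE' || rc.role_path AS access_path,
       d.grantor            AS granted_by
FROM   role_chain rc
JOIN   direct_grants d ON d.grantee = rc.privileged_role
LEFT JOIN dba_users u  ON u.username = rc.grantee
WHERE  u.username IS NOT NULL OR rc.grantee = 'PUBLIC'
ORDER BY username, privilege, access_path;
```

Rows whose `account_status` is not `OPEN` are the stale developer or test accounts the review is meant to surface; rows whose `granted_by` is a person rather than a schema owner show grants made outside the normal provisioning path.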

Since applications commonly authenticate users at the application level instead of the database level, it is important to perform similar user access rights reviews within the applications as well. This kind of review varies greatly depending on the way authentication is handled and how the access privilege information is stored in the database.  We can work with you and your application vendor to develop a user rights review for your application.

In-house DBAs often don’t have the objectivity (or the time) necessary to perform a database security assessment. Plus it takes skill and experience to run the tools and whittle down the vulnerabilities to specify what must be fixed, what it would be nice to fix, and what can be addressed indirectly through mitigating controls. Otherwise you just have a bewildering list of vulnerabilities that, in and of itself, is of little value in improving your security posture.

Download Buda Consulting Database Security Assessment for a full description of our Security Assessment using Trustwave AppDetective Pro.

Top Oracle Database Security Threats Come from the Inside

Your Oracle databases contain some of your company’s most valuable assets: financial data, customer data, intellectual property, corporate secrets and so on. That means they’ll be among the top targets of cybercriminals—both outside and inside the firewall.

The fact that they sit behind your network doesn’t mean your Oracle databases aren’t vulnerable. And with the increase in the number and usage of databases, the frequency of attacks is also on the rise.

While threats to corporate data are diverse, database security experts put one threat at the top: your own Oracle DBAs and system administrators. These employees can gain access to sensitive data as well as configure systems, modify databases and grant or alter access controls. Sometimes software developers can also see and manipulate sensitive data as it moves through development and test environments.

Insider threats come in two primary forms:

  • Excessive privilege abuse—when database users are granted privileges that exceed what they need to do their jobs, and they abuse them deliberately.
  • Legitimate privilege abuse—when database users use privileges they legitimately need for unauthorized reasons.

The classic example of excessive privilege abuse is the whole chain of unnecessary access permissions that enabled Edward Snowden, a sysadmin, to blow the whistle on the NSA. Another example would be a software developer who takes advantage of vulnerabilities in the code she’s working with to give herself administrative privilege and access data or even financial accounts.

An all-too-common example of legitimate privilege abuse is a harried employee who takes paper records containing personally identifiable information (PII) home in her briefcase, in flagrant violation of a company policy that nobody seems to care much about, so she can get caught up. She pops into a coffee shop, the briefcase is stolen from her car, and her organization must deal with public embarrassment and fines from regulators.

To deal with both malicious and “innocent” insider threats to your Oracle data, you need to know that your Oracle DBAs and others have only the privileges they require. You also need strong security policies and reliable means to monitor, enforce and educate employees about them.

To ensure Oracle database security from the inside out, it’s highly recommended to seek support from a trusted, unbiased expert outside the organization. A database security assessment is notoriously difficult to perform with in-house resources, for a variety of reasons. For example, employees are often “too close” to how things work now to spot vulnerabilities or make the best recommendations. Employees can also be resistant to recommending and supporting effective change. Office politics can also play a negative role in “gap assessment” and in enforcing security controls.

Finally and most importantly, database security assessment requires expertise and a holistic perspective, as well as automated tools. There are important steps you need to take, both inside and outside Oracle, to secure your data and the systems and processes that operate on it. Database security is critical to the health and welfare of your organization—don’t leave it to chance.

Contact Buda Consulting to start a conversation on how to cost-effectively ensure and verify your Oracle database security.